Distributed Denial of Service Attacks: Real-world Detection and Mitigation, 1st Edition
İlker Özçelik

Distributed Denial of Service Attacks
Real-world Detection and Mitigation

Richard R. Brooks
Professor
Holcombe Department of Electrical and Computer Engineering
Clemson University

İlker Özçelik
Assistant Professor
Department of Computer Engineering
Recep Tayyip Erdogan University

MATLAB® is a trademark of The MathWorks, Inc. and is used with permission. The Mathworks does not
warrant the accuracy of the text or exercises in this book. This book’s use or discussion of MATLAB®
software or related products does not constitute endorsement or sponsorship by The MathWorks of a
particular pedagogical approach or particular use of the MATLAB® software.

First edition published 2020
by CRC Press
6000 Broken Sound Parkway NW, Suite 300, Boca Raton, FL 33487-2742

and by CRC Press
2 Park Square, Milton Park, Abingdon, Oxon, OX14 4RN

© 2020 Taylor & Francis Group, LLC

CRC Press is an imprint of Taylor & Francis Group, LLC

Reasonable efforts have been made to publish reliable data and information, but the author and publisher
cannot assume responsibility for the validity of all materials or the consequences of their use. The authors
and publishers have attempted to trace the copyright holders of all material reproduced in this publication
and apologize to copyright holders if permission to publish in this form has not been obtained. If any
copyright material has not been acknowledged please write and let us know so we may rectify in any future
reprint.

Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced,
transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter
invented, including photocopying, microfilming, and recording, or in any information storage or retrieval
system, without written permission from the publishers.

For permission to photocopy or use material electronically from this work, access www.copyright.com or
contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923,
978-750-8400. For works that are not available on CCC please contact [email protected]

Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used
only for identification and explanation without intent to infringe.

Library of Congress Cataloging-in-Publication Data


Names: Özçelik, İlker, author. | Brooks, R. R. (Richard R.), author.
Title: Distributed denial of service attacks : real-world detection and
mitigation / İlker Özçelik and R.R. Brooks.
Description: Boca Raton : CRC Press, 2020. | Includes bibliographical
references and index.
Identifiers: LCCN 2019058641 | ISBN 9781138626812 (paperback) |
ISBN 9781315213125 (ebook)
Subjects: LCSH: Computer networks--Security measures. | Denial of service
attacks.
Classification: LCC TK5105.59 .O97 2020 | DDC 005.8/7--dc23
LC record available at https://lccn.loc.gov/2019058641

ISBN: 9780367491543 (hbk)
ISBN: 9781138626812 (pbk)
ISBN: 9781315213125 (ebk)

Typeset in CMR
by Nova Techset Private Limited, Bengaluru & Chennai, India

Dedication

This book is the result of many years of research on Distributed Denial of Service (DDoS)
attacks. A number of students have helped along the way. These included undergraduates,
M.S., and Ph.D. students at Penn State and Clemson Universities. All were advised
or co-advised by Dr. Brooks. Other students of note include Dr. Chris Griffin (Ph.D.
Penn State), Ms. Chinar Dingankar (M.S. Clemson), Ms. Devaki Shah (B.S. Penn State),
and Dr. Glenn Carll (Ph.D. Penn State). We would like to thank Mr. Jim Bottum and
Dr. Kevin McKenzie of Clemson University CCIT who allowed us to utilize Clemson
University resources in this work. They both have a clear vision that sees the university’s role
in supporting faculty research. The vast majority of the work in this book was done by
Dr. Özçelik. Dr. Özçelik’s studies at Clemson were supported by the Turkish government.
Both Dr. Brooks and Dr. Özçelik have been fortunate to have supportive students, work
environments and families during this work.

In Loving Memory of My Father
Mustafa Özçelik
Your determination taught me to never give up.

To My Wife Jacqui and Our Sons Ömer James and Ali Joseph
Your love, patience and support made this book possible.
Love y’all.

Contents

Foreword
About the Authors
Acknowledgments
Preface
Contributors

1 Introduction
1.1 Performance Testing and Analysis of DDoS Detection Approaches
1.2 Deceiving DDoS Detection
1.3 DDoS Mitigation
1.4 Organization

2 What is DDoS?
2.1 Definition
2.2 Classification
2.2.1 Resource Saturation
2.2.1.1 System/Device Resources
2.2.1.2 Network Bandwidth
2.2.2 Exploiting Vulnerability
2.2.3 Tampering
2.2.4 Misuse
2.2.4.1 Fragmentation and Reassembly
2.2.4.2 TCP-based
2.2.4.3 Low and Slow Attacks
2.2.4.4 Filtering
2.2.4.5 Others
2.2.5 Physical Destruction
2.3 Botnet
2.3.1 Botnet Architectures
2.3.2 Botnet Topologies
2.3.2.1 Star
2.3.2.2 Multi-server
2.3.2.3 Hierarchical
2.3.2.4 Random
2.3.3 Botnet Resilience and CnC Resolution
2.3.3.1 IP Flux
2.3.3.2 Domain Flux
2.3.3.3 Blind Proxy Redirection
2.4 Attack Tools
2.4.1 Classification of Attack Tools
2.4.2 Popular Attack Tools
2.5 Problems
2.6 Glossary

3 History and Motivation
3.1 A Brief History of Computers and Computer Crime
3.2 DDoS Tools and Technologies
3.2.1 DDoS Bots and Stressers
3.2.2 Botnets
3.2.3 Worms
3.2.4 DNS DDoS
3.2.5 BGP Exploits
3.3 DDoS History
3.3.1 Early DoS
3.3.2 Hackers
3.3.2.1 L0pht
3.3.2.2 Mafiaboy
3.3.3 Commercial Exploitation
3.3.3.1 DDoS for Hire
3.3.3.2 Ransomware
3.3.4 Censorship
3.3.4.1 Myanmar
3.3.4.2 Kyrgyzstan
3.3.4.3 Kazakh
3.3.4.4 Iran
3.3.4.5 Vietnam
3.3.4.6 Radio Free Europe/Radio Liberty
3.3.4.7 Krebs on Security
3.3.5 Cyberwar
3.3.5.1 Hainan
3.3.5.2 Estonia
3.3.5.3 Georgia
3.3.5.4 Ukraine
3.3.5.5 Israel
3.3.5.6 US and Korea
3.3.6 Hacktivism and/or Terrorism
3.3.6.1 Electronic Disturbance Theater
3.3.6.2 Electrohippies
3.3.6.3 Lufthansa
3.3.6.4 Russian Election
3.3.6.5 Chanology
3.3.6.6 CNN
3.3.6.7 Operations Titstorm and Payback
3.3.6.8 Lizard Squad
3.3.6.9 Black Lives Matter
3.3.6.10 Syrian Electronic Army
3.3.6.11 Daesh
3.3.7 Internet Blackouts
3.4 Conclusions
3.5 Problems
3.6 Glossary

4 Legal Considerations
4.1 Introduction
4.2 Laws against DDoS
4.3 Jurisdiction
4.4 DDoS Liability
4.5 Protest
4.6 Cyberwar
4.7 Conclusion
4.8 Problems
4.9 Glossary

5 DDoS Research: Traffic
5.1 Dataset
5.1.1 Classification
5.1.2 Features
5.2 Traffic Generation
5.2.1 Approaches
5.2.2 Tools
5.2.2.1 Stress Testing / Attack Traffic Generation Tools
5.2.2.2 Background Traffic Generation Tools
5.2.2.3 Replay Tools
5.3 (D)DoS Benchmark Datasets
5.4 Discussion
5.5 Problems
5.6 Glossary

6 DDoS Research: Testing
6.1 Network Simulators / Emulators
6.1.1 Popular Network Simulators / Emulators
6.1.1.1 NS2
6.1.1.2 NS3
6.1.1.3 OMNET++
6.1.1.4 Shadow
6.1.1.5 GNS3
6.1.1.6 IMUNES
6.1.1.7 CORE
6.1.1.8 Mininet
6.1.1.9 VNX
6.1.1.10 Wistar
6.2 Network Testbeds
6.2.1 Technologies and Concepts
6.2.2 Popular Network Testbeds
6.2.2.1 Emulab
6.2.2.2 PlanetLab
6.2.2.3 GENI
6.2.2.4 KREONET
6.2.2.5 FIRE
6.2.2.6 SAVI
6.2.2.7 JGN
6.3 Case Study - Network Mirroring
6.3.1 Experiment Setup
6.3.2 Advantages of Experiment Setup
6.4 Problems
6.5 Glossary

7 DDoS Research: Evaluation
7.1 Performance Evaluation Metrics
7.1.1 Detection Performance
7.1.2 Mitigation Performance
7.1.3 System Cost
7.1.4 Qualitative Evaluation
7.2 Discussion
7.3 Problems
7.4 Glossary

8 Attack Detection
8.1 Classification of DDoS Detection Algorithms
8.2 An Empirical Study: DDoS Detection Using Operational Network Data
8.2.1 Literature
8.2.2 Background
8.2.2.1 Cumulative Sum (CUSUM)
8.2.2.2 Wavelet
8.2.2.3 Entropy
8.2.3 Performance Testing Using Operational Network Data
8.2.3.1 Traffic Volume-based Detection
8.2.3.2 Entropy-based Detection
8.2.3.3 Comparison and Discussion
8.2.4 Cusum-Entropy
8.2.4.1 Cusum - Entropy Algorithm
8.3 Problems
8.4 Glossary

9 Deceiving DDoS Detection
9.1 A Case Study: Deceiving Entropy-based DDoS Detection Systems
9.1.1 Entropy Spoofing
9.1.1.1 Controlling Entropy Value
9.1.2 Experimental Results
9.1.3 Discussion
9.2 Problems
9.3 Glossary

10 Attack Mitigation
10.1 Classification
10.1.1 Classification-based on Mitigation Time
10.1.1.1 Before An Attack (Prevention)
10.1.1.2 During An Attack (Detection)
10.1.1.3 After An Attack (Reaction / Source Identification)
10.1.2 Classification-based on Deployment Type
10.1.2.1 Centralized
10.1.2.2 Distributed
10.1.3 Classification-based on Deployment Location
10.1.3.1 Source-based
10.1.3.2 Destination-based
10.1.3.3 Network-based
10.1.3.4 Hybrid
10.1.4 Classification-based on Reaction Place
10.1.4.1 On The Premises
10.1.4.2 In The Cloud
10.1.5 Classification-based on Reaction Type
10.1.5.1 Filtering-based
10.1.5.2 Increasing Attack Surface
10.1.5.3 Moving Target
10.2 Content Delivery Networks
10.3 Deflect
10.4 DDM: Dynamic DDoS Mitigation System
10.4.1 DDM Building Blocks
10.4.1.1 Resource Manager
10.4.1.2 DNS Module
10.4.1.3 Deflect Module
10.4.1.4 Data Collection Module
10.4.1.5 Decision Module
10.4.1.6 DDM Controller
10.4.2 DDM Testing
10.4.2.1 Attack Scenarios
10.4.2.2 Test Results
10.4.3 Discussion
10.5 DDoS Mitigation Using Game Theory
10.5.1 Distributed Denial of Service Mitigation Approach - Traffic Flow
10.5.1.1 Player 1 - Blue
10.5.1.2 Player 2 - Red
10.5.2 Distributed Denial of Service Mitigation Approach - Reconfiguration Strategies
10.5.2.1 Game
10.5.2.2 Sum of Games and Thermographs
10.6 Economic Denial of Sustainability
10.7 Discussion and Comparison
10.8 Problems
10.9 Glossary

11 Security and DDoS in SDN: Opportunities and Challenges
Mehmet Demirci
11.1 Overview
11.2 Fundamentals of SDN
11.3 Improving Network Security with SDN
11.3.1 Implementing Flexible and Cost-effective Security Functions
11.3.2 Deception and Moving Target Defense
11.3.3 Securing Protocols against Spoofing
11.3.4 Other Opportunities
11.4 New Security Threats against SDN
11.4.1 Reconnaissance against SDN
11.4.2 Taking Advantage of the Widened Attack Surface
11.5 DDoS in SDN
11.5.1 New DDoS Attacks Threatening SDN
11.5.2 Using SDN for Better DDoS Defense
11.6 Discussion and Future Trends
11.7 Problems
11.8 Glossary

12 Denial of Service Attack in Control Systems
Zoleikha Abdollahi Biron and Pierluigi Pisu
12.1 DoS Attack in Cyber Physical Systems
12.2 Modeling DoS Attack From Control Perspective
12.3 DoS Attack Estimation and Countermeasure
12.3.1 Overview on Observer Design and Diagnostics
12.3.2 Adaptive Observer Design
12.4 Proposed Algorithm
12.5 Case Study and Simulation Results
12.6 Problems
12.7 Glossary

13 Denial of Service Attack on Phasor Measurement Unit
Paranietharan Arunagirinathan, Richard R. Brooks, Iroshani Jayawardene, Dulip Tharaka Madurasinghe, Ganesh Kumar Venayagamoorthy, Fu Yu, and Xingsi Zhong
13.1 Overview
13.2 Background
13.2.1 The Synchrophasor Protocol
13.2.2 Security Gateways
13.2.3 Side-Channel Analysis
13.2.3.1 Hidden Markov Models
13.2.4 Man-In-The-Middle Attack
13.3 Two-Area Four Machine Power System with Utility-Scale PV Plant and PMUs
13.3.1 PMU Traffic Separation Algorithm
13.3.2 DoS Attack on PMU Measurement Traffic
13.4 AGC Operation Under Attack
13.4.1 Experimental Setup
13.5 Consequences of DoS Attacks
13.5.1 Fault and Attack without Countermeasure
13.5.2 Analysis
13.6 Summary
13.7 Problems
13.8 Glossary

14 DDoS Lab
14.1 Toolbox
14.1.1 Wireshark / tshark
14.1.2 Scapy
14.1.3 JMeter
14.1.4 Apache Traffic Server (ATS)
14.1.5 Apache HTTP Server
14.1.6 BIND Domain Name Server
14.1.7 Virtualbox
14.1.8 Deflect
14.1.9 Distributed DDoS Mitigation Tool (DDM)
14.2 Lab Guidelines
14.2.1 Data Handling
14.2.1.1 Course Background
14.2.1.2 Attestation
14.2.2 Assignment / Project Report
14.2.2.1 Introduction
14.2.2.2 Methodology
14.2.2.3 Results
14.2.2.4 Conclusion
14.2.2.5 Comments
14.2.2.6 Bibliography
14.2.2.7 Appendix
14.3 Assignments
14.3.1 Attack
14.3.1.1 Sniffing Network
14.3.1.2 Man in the Middle
14.3.1.3 Spoofing
14.3.1.4 Network Background Traffic Generation
14.3.1.5 DDoS Simulation
14.3.1.6 Syn Flood
14.3.1.7 Bandwidth Starvation Attack
14.3.1.8 Amplification / Reflection
14.3.1.9 HTTP GET / POST
14.3.2 Detection
14.3.2.1 Thresholding
14.3.2.2 Cusum
14.3.2.3 Cusum - Wavelet
14.3.2.4 Wavelet - Cusum
14.3.2.5 Entropy
14.3.2.6 Questions
14.3.3 Deception
14.3.4 Mitigation

15 Conclusion
15.1 Analysis and Conclusions
15.2 Suggestions for Future Research
15.3 Final Words

16 Appendix
Xingsi Zhong and Oluwakemi Ade Aina
16.1 Generate TCP Traffic with Ostinato
16.2 Mininet Quick Guide
16.2.1 Mininet Quick Hands-On
16.2.1.1 Install Mininet
16.2.1.2 Access Mininet VM
16.2.1.3 Start and Stop Mininet
16.2.2 Mininet Lab Guide
16.2.2.1 Create a Topology
16.2.2.2 Run Applications on the Network
16.3 NS2 DDoS Simulation
16.3.1 Explanation of Script “attack.tcl”
16.3.1.1 Key Concepts
16.3.1.2 Explanation of the Script
16.3.1.3 SYN Flood
16.4 TCP SYN Flooding
16.4.1 Set up the Victim Server
16.4.1.1 Set up a Web Server
16.4.1.2 Toggle The SYN Settings
16.4.2 Client Script
16.4.3 Launch the Attack
16.5 DNS Amplification Attack
16.5.1 Simple DNS Request
16.5.2 A Spoofed DNS Request
16.5.3 Build a DNS Record on the Master DNS Server
16.5.4 DNS Amplification Attack
16.5.4.1 Attack Performance
16.6 Elastic CDN Assignment
16.6.1 Reverse Cache Proxy
16.6.2 DNS Server
16.6.3 Scale Up

Bibliography

Index
Foreword

This book started with empirical experiments exploring how DDoS attacks work in the real
world. We were lucky that Clemson University Chief Information Security Officer (Dr. Kevin
McKenzie) and Chief Information Officer (Mr. Jim Bottum) were dedicated to supporting
university faculty performing research. This created fertile soil, which we are grateful for.
This book concentrates on studying, understanding, and minimizing the impact of
Distributed Denial of Service (DDoS) attacks. We used this text to teach a DDoS special
topics course three times. This course is a permanent offering in the Holcombe Department
of Electrical and Computer Engineering at Clemson University. There are several motivations
for this course:
1. DDoS is an ongoing problem in network security. The number and volume of
DDoS attacks are growing;
2. Several members of our faculty had expressed interest in adding to our curriculum
a course that integrated computer networks and security;
3. The DDoS topic is technically and socially interesting;
4. DDoS is used by several different attackers for different reasons, including:
governments to stifle dissent, companies to weaken their competition, criminals to
blackmail victims, and activists to show their anger;
5. DDoS is at the intersection of network design, performance, and security, which
allows us to deepen the student’s understanding in all of these domains with one
course; and
6. Our research projects provided us with sufficient depth and insight to present a
unique experience to our students.
This course fits neatly into networking and security curricula. Students should acquire
important networking skills and improve their understanding of how to design, monitor,
and manage networks.
Effort has been taken to make this book accessible, but it is a university level technical
textbook for graduate students of computer science and/or engineering. Technical details are
provided. This book is not a superficial overview. The contents of this book can be valuable
for working engineers, technologists, researchers, and interested parties. The information
given should be useful for readers willing to invest effort. It is not suited for non-technical
readers or leisure reading.

About the Authors

Dr. Brooks’ background includes managing computer networks that span continents,
performing sponsored research, and teaching university classes. His research has been
sponsored by both government and industry, including:
• The Office of Naval Research (ONR),
• The Air Force Office of Scientific Research (AFOSR),
• The National Institute of Standards and Technology (NIST),
• The National Science Foundation (NSF),
• The Army Research Office (ARO),
• The United States Department of State,
• The Defense Advanced Research Projects Agency (DARPA), and
• BMW Manufacturing Corporation.
He has a B.A. in Mathematical Sciences from The Johns Hopkins University Whiting
School of Engineering, and a Ph.D. in Computer Science from Louisiana State University.
He has worked in the United States, France, Germany, Africa, Eastern Europe and
the former Soviet Union. His consulting clients include the World Bank and French stock
exchange authority. Dr. Brooks was head of the Distributed Systems Department of The
Pennsylvania State University Applied Research Laboratory (PSU/ARL) for seven years.
He has been an Associate Professor with the Holcombe Department of Electrical and
Computer Engineering of Clemson University since 2004.

Dr. Özçelik’s background includes both researching network security and teaching
university classes in the electrical engineering program. He has organized many cyber
security awareness workshops and has given speeches to attendees from both government
agencies and private industries in Turkey. He also served as a member of the Cyber Security
Working Group at the Council of Higher Education in Turkey and Information and the Cyber
Security National Science and Advisory Board at Information Security Association of Turkey.
Dr. Özçelik has a B.S. in Electronics and Communication Education from Marmara
University, an M.S. in Electrical Engineering from Syracuse University, and a Ph.D. in
Electrical Engineering from the Holcombe Department of Electrical and Computer Engineering,
Clemson University.
He worked as an Assistant Professor with the Department of Electrical and Electronics
Engineering of Recep Tayyip Erdogan University for three years. He is currently an Assistant
Professor and Department of Computer Engineering at Recep Tayyip Erdogan University.

Acknowledgments

This material is based upon work supported by, or in part by, the National Science
Foundation grants CNS-1049765, OAC-1547245, CNS-1544910, OAC-1642143, Republic of Turkey
Ministry of National Education and The Scientific and Technological Research Council of
Turkey (TUBITAK).
The U.S. Government and the Turkish Government are authorized to reproduce and
distribute reprints for Governmental purposes notwithstanding any copyright notation thereon.
The authors gratefully acknowledge this support and take responsibility for the contents of
this report.
The views and conclusions contained herein are those of the authors and should not be
interpreted as necessarily representing the official policies or endorsements, either expressed
or implied, of the National Science Foundation, The Scientific and Technological Research
Council of Turkey, Republic of Turkey Ministry of National Education, the Turkish
Government or the U.S. Government.
The DDoS mitigation chapter extends work done by the eQualit.ie tech collective in
Montreal on the Deflect tool. eQualit.ie has worked with many civil society groups to protect
them from DDoS attacks. Our work benefited greatly from their willingness to share their
expertise, experience and technology. We thank them for their help.
The authors also gratefully acknowledge use of the services and facilities of the
SimCenter, Center of Excellence in Applied Computational Science and Engineering at the
University of Tennessee at Chattanooga. The authors would also like to give a heartfelt
thanks to the Director of the SimCenter, Dr. Antony Skjellum.

Preface

The Internet has become critical infrastructure. It is not only a critical backbone of our
communications infrastructure, but we depend on it for news, entertainment, and education.
In addition to that, smart grid control signals pass through the Internet; our financial
and commercial interactions depend on the Internet functioning; and emergency incident
response uses Internet infrastructure.
Reliance on Internet infrastructure has come about because of the numerous advantages
in terms of convenience, efficiency, and reliability that the Internet provides. Unfortunately,
our reliance on the Internet has a dark side. Once we rely on a system, some people can
take advantage of that dependence. Many reasons exist for disrupting the Internet; they
include:
• Financial gain,
• Political reasons,
• Terror,
• Fun, or
• Censorship.
A full discussion of motivations and how they have changed over time is in Chapter 3.
In addition to there being many reasons for disrupting the network, it is relatively
1. easy to do,
2. hard to identify attackers, and
3. challenging to protect yourself against.
This results in an ongoing problem with economic and social impact.
This book is designed to support a course in Distributed Denial of Service (DDoS)
attacks, which helps students understand:
• how DDoS works,
• how DDoS attacks can be detected, and
• how these attacks can be mitigated.
The curriculum we provide includes a set of hands-on projects for students to execute
that will provide them with a combination of theoretical understanding and practical skills.
Chapter 14 explains how to put the necessary laboratory infrastructure in place.
Chapters 8, 9, and 10 contain most of the necessary exercises.
Skills that students will learn include:
1. How to install IP networks,
2. How to monitor IP networks,
3. How Software Defined Networking (SDN) works,
4. How to evaluate DDoS detection results, and
5. How to set up a simple content distribution network to mitigate the impact of
DDoS attacks.


The textbook starts with a definition of Denial of Service and a discussion of many of
the common tools used to cause them. We follow that by a historical discussion, which is
augmented by explanations of legal considerations.
Sometimes it is hard to distinguish between simple malfunctions and malicious activity.
Similarly, reasons for performing DDoS attacks vary. While extortion and blackmail are
clearly illegal, it could be unclear at what point a demonstration of displeasure moves from
legitimate protest to illegal destruction of property. We also note that legitimate protests
can have legal consequences.
Chapters are provided that give in-depth discussion of some current DoS research topics.
These include the impact of DoS on control systems and the smart grid.
The course structure we follow uses Chapters 2 through 10 sequentially. The first few
chapters take less time to execute. They are readings and lectures. The chapters that are
based on in-class exercises will take more time and should include time for student work to
be corrected.
Optionally, the instructor could include one of the in-depth research chapters on either
control theory or the smart grid. These topics are particularly relevant given the growing
importance of the Internet of Things (IoT).
Contributors

Oluwakemi Ade Aina
Dell EMC
San Francisco, California

Paranietharan Arunagirinathan
Real-Time Power and Intelligent Systems Laboratory
Holcombe Department of Electrical and Computer Engineering
Clemson University
Clemson, South Carolina

Zoleikha Abdollahi Biron
Department of Electrical and Computer Engineering
University of Florida
Gainesville, Florida

Richard R. Brooks
Real-Time Power and Intelligent Systems Laboratory
Holcombe Department of Electrical and Computer Engineering
Clemson University
Clemson, South Carolina

Mehmet Demirci
Department of Computer Engineering
Gazi University
Ankara, Turkey

Iroshani Jayawardene
Real-Time Power and Intelligent Systems Laboratory
Holcombe Department of Electrical and Computer Engineering
Clemson University
Clemson, South Carolina

Dulip Tharaka Madurasinghe
Real-Time Power and Intelligent Systems Laboratory
Holcombe Department of Electrical and Computer Engineering
Clemson University
Clemson, South Carolina

Pierluigi Pisu
Department of Automotive Engineering
Holcombe, Radstock, UK
and
Department of Electrical and Computer Engineering
Clemson University
Clemson, South Carolina

Ganesh Kumar Venayagamoorthy
Real-Time Power and Intelligent Systems Laboratory
Holcombe Department of Electrical and Computer Engineering
Clemson University
Clemson, South Carolina

Fu Yu
Palo Alto Networks
Santa Clara, California

Xingsi Zhong
Palo Alto Networks
Santa Clara, California
and
Real-Time Power and Intelligent Systems Laboratory
Holcombe Department of Electrical and Computer Engineering
Clemson University
Clemson, South Carolina
